diff --git a/.ansible-items/inventory b/.ansible-items/inventory index 32090d7..5301913 100644 --- a/.ansible-items/inventory +++ b/.ansible-items/inventory @@ -1,2 +1,11 @@ -[host] -{{ DEPLOYMENT_USER }}@{{ DEPLOY_HOSTNAME }} ansible_connection=ssh ansible_user={{ DEPLOYMENT_USER }} \ No newline at end of file +all: + children: + sptarkov: + hosts: + sp-tarkov: + ansible_host: {{ DEPLOY_HOSTNAME }} + ansible_user: {{ DEPLOY_USER }} + ansible_connection: paramiko_ssh + ansible_ssh_pass: {{ DEPLOY_SSH_KEY_PASSPHRASE }} + ansible_ssh_user: {{ DEPLOY_USER }} + ansible_ssh_private_key_file: /drone/src/private.key # Hardcoded because created by the Drone plugin \ No newline at end of file diff --git a/.ansible-items/playbook.yml b/.ansible-items/playbook.yml index dea7313..a727a10 100644 --- a/.ansible-items/playbook.yml +++ b/.ansible-items/playbook.yml @@ -1,6 +1,6 @@ --- - name: install and configure PHP8 and composer - hosts: host + hosts: sptarkov tasks: - name: Delete spt-items-api before adding everything again @@ -36,8 +36,8 @@ - name: Reset files permissions file: path: "{{ lookup('env', 'SPT_ITEMS_PATH') }}" - owner: "{{ lookup('env', 'DEPLOYMENT_USER') }}" - group: "{{ lookup('env', 'DEPLOYMENT_USER_GROUP') }}" + owner: "{{ lookup('env', 'DEPLOY_USER') }}" + group: "{{ lookup('env', 'DEPLOY_USER_GROUP') }}" mode: 0774 recurse: yes diff --git a/.drone-docker.yml b/.drone-docker.yml index 4785f9e..b8a1747 100644 --- a/.drone-docker.yml +++ b/.drone-docker.yml 
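Review bot: The comment on `ansible_ssh_private_key_file` says the file is "created by the Drone plugin", but the key is written by the `echo "$DEPLOY_PRIVATE_KEY" > private.key` command of the "replace hosts and user variables" step (see the .drone-docker.yml and .drone-kubernetes.yml hunks), so the path depends on that step and on Drone's workspace root rather than on the ansible plugin; suggest `# Written by the "replace hosts and user variables" step into the Drone workspace (/drone/src)`. The passphrase is passed through `ansible_ssh_pass`, which is the login-password variable; this works here only because the `paramiko_ssh` connection hands the password to paramiko, which falls back to it for private-key decryption, so a comment such as `# key passphrase: paramiko uses the password as passphrase fallback; not valid for ansible_connection: ssh` would stop a later switch of connection plugin from silently turning it into a password-auth attempt. The substituted values are unquoted, so after sed runs a hostname, user or passphrase containing ` #` or `: `, or one that looks like a number or boolean, is mis-parsed by the YAML inventory loader; quoting them (`ansible_ssh_pass: '{{ DEPLOY_SSH_KEY_PASSPHRASE }}'`) narrows the failure to passphrases containing a single quote.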
@@ -21,13 +21,19 @@ steps: from_secret: deploy_hostname SPT_ITEMS_HOSTNAME: from_secret: spt_items_hostname - DEPLOYMENT_USER: + DEPLOY_USER: from_secret: deploy_username + DEPLOY_SSH_KEY_PASSPHRASE: + from_secret: deploy_ssh_key_passphrase + DEPLOY_PRIVATE_KEY: + from_secret: deploy_ssh_key commands: - - sed -i 's/{{ SPT_ITEMS_HOSTNAME }}/'"$SPT_ITEMS_HOSTNAME"'/g' ./items/frontend/.env.example - - mv ./items/frontend/.env.example ./items/frontend/.env - - sed -i 's/{{ DEPLOY_HOSTNAME }}/'"$DEPLOY_HOSTNAME"'/g' ./.ansible-items/inventory - - sed -i 's/{{ DEPLOYMENT_USER }}/'"$DEPLOYMENT_USER"'/g' ./.ansible-items/inventory + - sed -i 's/{{ SPT_ITEMS_HOSTNAME }}/'"$SPT_ITEMS_HOSTNAME"'/g' ./items/frontend/.env.example + - mv ./items/frontend/.env.example ./items/frontend/.env + - echo "$DEPLOY_PRIVATE_KEY" > private.key && chmod 600 private.key + - sed -i 's/{{ DEPLOY_HOSTNAME }}/'"$DEPLOY_HOSTNAME"'/g' ./.ansible-items/inventory + - sed -i 's/{{ DEPLOY_SSH_KEY_PASSPHRASE }}/'"$DEPLOY_SSH_KEY_PASSPHRASE"'/g' ./.ansible-items/inventory + - sed -i 's/{{ DEPLOY_USER }}/'"$DEPLOY_USER"'/g' ./.ansible-items/inventory - name: build frontend image: node:lts-alpine3.14 @@ -48,22 +54,26 @@ steps: inventory: ./.ansible-items/inventory galaxy: ./.ansible-items/requirements.yml syntax_check: true + when: + branch: + - development + - name: apply ansible playbook image: plugins/ansible:3 settings: playbook: ./.ansible-items/playbook.yml inventory: ./.ansible-items/inventory galaxy: ./.ansible-items/requirements.yml - private_key: - from_secret: deploy_ssh_key + timeout: 60 + verbose: 2 environment: DEPLOY_HOSTNAME: from_secret: deploy_hostname SPT_ITEMS_HOSTNAME: from_secret: spt_items_hostname - DEPLOYMENT_USER: + DEPLOY_USER: from_secret: deploy_username - DEPLOYMENT_USER_GROUP: + DEPLOY_USER_GROUP: from_secret: deploy_user_group SPT_ITEMS_PATH: from_secret: deploy_path diff --git a/.drone-kubernetes.yml b/.drone-kubernetes.yml index 3d09772..d2f8b75 100644 
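Review bot: `echo "$DEPLOY_PRIVATE_KEY" > private.key && chmod 600 private.key` creates the key file under the shell's default umask and only then tightens it, so it is briefly readable by any other user in the container; write it under a restrictive umask instead, `- (umask 077; echo "$DEPLOY_PRIVATE_KEY" > private.key)`, which also makes the chmod unnecessary. The added `sed -i 's/{{ DEPLOY_SSH_KEY_PASSPHRASE }}/'"$DEPLOY_SSH_KEY_PASSPHRASE"'/g'` uses the secret as sed replacement text, so a passphrase containing `/`, `&` or `\` breaks the command or is altered, and the plaintext passphrase then stays in ./.ansible-items/inventory in the shared workspace for every later step. A more robust option is to not substitute it at all and let Ansible read it where it is used (`ansible_ssh_pass: "{{ lookup('env', 'DEPLOY_SSH_KEY_PASSPHRASE') }}"` in the inventory, as playbook.yml already does for `DEPLOY_USER`), which would require injecting that secret into the apply step's environment as well. The same commands appear in the .drone-kubernetes.yml hunk and in the Walkthrough.md excerpt.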
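Review bot: The added `when: branch: - development` attaches to the syntax-check step (the one carrying `syntax_check: true`), so the check no longer runs for the branches that reach `apply ansible playbook`; if that step is still gated on `master` as the Walkthrough excerpt shows (its own `when:` is outside this hunk), a playbook error is now first detected at apply time against the live host. Either drop the condition or give it the same branch list as the apply step. `verbose: 2` on the apply step raises the log detail at the same time the inventory starts carrying `ansible_ssh_pass` in plaintext; confirm that nothing at that verbosity echoes inventory host variables into the build log before keeping it. The same hunk appears in .drone-kubernetes.yml.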
--- a/.drone-kubernetes.yml +++ b/.drone-kubernetes.yml @@ -17,17 +17,23 @@ steps: - name: replace hosts and user variables image: ubuntu:impish environment: - DEPLOY_HOSTNAME: - from_secret: deploy_hostname SPT_ITEMS_HOSTNAME: from_secret: spt_items_hostname - DEPLOYMENT_USER: + DEPLOY_HOSTNAME: + from_secret: deploy_hostname + DEPLOY_USER: from_secret: deploy_username + DEPLOY_PRIVATE_KEY: + from_secret: deploy_ssh_key + DEPLOY_SSH_KEY_PASSPHRASE: + from_secret: deploy_ssh_key_passphrase commands: - - sed -i 's/{{ SPT_ITEMS_HOSTNAME }}/'"$SPT_ITEMS_HOSTNAME"'/g' ./items/frontend/.env.example - - mv ./items/frontend/.env.example ./items/frontend/.env - - sed -i 's/{{ DEPLOY_HOSTNAME }}/'"$DEPLOY_HOSTNAME"'/g' ./.ansible-items/inventory - - sed -i 's/{{ DEPLOYMENT_USER }}/'"$DEPLOYMENT_USER"'/g' ./.ansible-items/inventory + - sed -i 's/{{ SPT_ITEMS_HOSTNAME }}/'"$SPT_ITEMS_HOSTNAME"'/g' ./items/frontend/.env.example + - mv ./items/frontend/.env.example ./items/frontend/.env + - echo "$DEPLOY_PRIVATE_KEY" > private.key && chmod 600 private.key + - sed -i 's/{{ DEPLOY_HOSTNAME }}/'"$DEPLOY_HOSTNAME"'/g' ./.ansible-items/inventory + - sed -i 's/{{ DEPLOY_SSH_KEY_PASSPHRASE }}/'"$DEPLOY_SSH_KEY_PASSPHRASE"'/g' ./.ansible-items/inventory + - sed -i 's/{{ DEPLOY_USER }}/'"$DEPLOY_USER"'/g' ./.ansible-items/inventory - name: build frontend image: node:lts-alpine3.14 
@@ -48,22 +54,26 @@ steps: inventory: ./.ansible-items/inventory galaxy: ./.ansible-items/requirements.yml syntax_check: true + when: + branch: + - development + - name: apply ansible playbook image: plugins/ansible:3 settings: playbook: ./.ansible-items/playbook.yml inventory: ./.ansible-items/inventory galaxy: ./.ansible-items/requirements.yml - private_key: - from_secret: deploy_ssh_key + timeout: 60 + verbose: 2 environment: - DEPLOY_HOSTNAME: - from_secret: deploy_hostname SPT_ITEMS_HOSTNAME: from_secret: spt_items_hostname - DEPLOYMENT_USER: + DEPLOY_HOSTNAME: + from_secret: deploy_hostname + DEPLOY_USER: from_secret: deploy_username - DEPLOYMENT_USER_GROUP: + DEPLOY_USER_GROUP: from_secret: deploy_user_group SPT_ITEMS_PATH: from_secret: deploy_path diff --git a/items/README.md b/items/README.md index 9b22418..181e465 100644 --- a/items/README.md +++ b/items/README.md @@ -14,6 +14,7 @@ | deploy_username | The default username to use on the remote server
used by Ansible SSH | www-data | | deploy_user_group | The default user group to use on the remote server
used to set permission on the website folder | www-data | | deploy_ssh_key | The **content** of the ssh private key used to connect to the remote server
The key needs to be in RSA in "RSA PRIVATE KEY" format
The ssh publick key needs to already be in the user used in the remote server ~/.ssh/authorized_keys | -----BEGIN RSA PRIVATE KEY-----
The key
-----END RSA PRIVATE KEY----- | +| deploy_ssh_key_passphrase | The passphrase to decrypt the SSH private key | test | ## ⚠ Important notes for the deployment ⚠ * Add all required secrets in Drone diff --git a/items/docs/Walkthrough.md b/items/docs/Walkthrough.md index ce56bac..85ef636 100644 --- a/items/docs/Walkthrough.md +++ b/items/docs/Walkthrough.md @@ -4,7 +4,6 @@ * [Overview](#overview) * [Pipeline definition](#pipeline-definition) * [Pipeline concurrency](#pipeline-concurrency) -* [Environment variables](#environment-variables) * [Triggers](#triggers) * [Steps](#steps) * [Fetch and update submodules](#Fetch-and-update-submodules) @@ -46,13 +45,6 @@ concurrency: ``` The pipeline is set to only one build at a time (every subsequent build with be pending). -## Environment variables -```yml -environment: - SPT_ITEMS_PATH: /var/www/html/aki/spt-items-api -``` -Here are the environment variables. They are automatically injected in every step. - ## Triggers ```yml trigger: 
@@ -70,24 +62,31 @@ The pipeline is run on every push only on branches `master`, `main` and `develop - name: replace hosts and user variables image: ubuntu:impish environment: - DEPLOY_HOSTNAME: - from_secret: deploy_hostname SPT_ITEMS_HOSTNAME: from_secret: spt_items_hostname - DEPLOYMENT_USER: + DEPLOY_HOSTNAME: + from_secret: deploy_hostname + DEPLOY_USER: from_secret: deploy_username + DEPLOY_PRIVATE_KEY: + from_secret: deploy_ssh_key + DEPLOY_SSH_KEY_PASSPHRASE: + from_secret: deploy_ssh_key_passphrase commands: - - sed -i 's/{{ SPT_ITEMS_HOSTNAME }}/'"$SPT_ITEMS_HOSTNAME"'/g' ./items/frontend/.env.example - - mv ./items/frontend/.env.example ./items/frontend/.env - - sed -i 's/{{ DEPLOY_HOSTNAME }}/'"$DEPLOY_HOSTNAME"'/g' ./.ansible-items/inventory - - sed -i 's/{{ DEPLOYMENT_USER }}/'"$DEPLOYMENT_USER"'/g' ./.ansible-items/inventory + - sed -i 's/{{ SPT_ITEMS_HOSTNAME }}/'"$SPT_ITEMS_HOSTNAME"'/g' ./items/frontend/.env.example + - mv ./items/frontend/.env.example ./items/frontend/.env + - echo "$DEPLOY_PRIVATE_KEY" > private.key && chmod 600 private.key + - sed -i 's/{{ DEPLOY_HOSTNAME }}/'"$DEPLOY_HOSTNAME"'/g' ./.ansible-items/inventory + - sed -i 's/{{ DEPLOY_SSH_KEY_PASSPHRASE }}/'"$DEPLOY_SSH_KEY_PASSPHRASE"'/g' ./.ansible-items/inventory + - sed -i 's/{{ DEPLOY_USER }}/'"$DEPLOY_USER"'/g' ./.ansible-items/inventory ``` Executed on every push. \ The following environment variables are injected using Drone secrets: * `SPT_ITEMS_HOSTNAME` is used by the frontend to call the backend. * `DEPLOY_HOSTNAME` is used by Ansible to connect to the remote server via SSH. - * `DEPLOYMENT_USER` is used by Ansible to connect to the remote server via SSH. - * all environment variables at the pipeline level (see [Environment variables](#environment-variables)) + * `DEPLOY_USER` is used by Ansible to connect to the remote server via SSH. 
+ * `DEPLOY_PRIVATE_KEY` is the SSH key used to connect to the remote server via SSH + * `DEPLOY_SSH_KEY_PASSPHRASE` is the SSH key passphrase Using `sed` makes temporary changes in the container/pod instead of commiting secrets in the repo in plain text. \ The changes are never pushed and are discarded when the container/pod is terminated. @@ -133,15 +132,19 @@ Check the Ansible syntax in [playbook.yml](../.ansible/playbook.yml), [inventory playbook: ./.ansible-items/playbook.yml inventory: ./.ansible-items/inventory galaxy: ./.ansible-items/requirements.yml - private_key: - from_secret: deploy_ssh_key + timeout: 60 + verbose: 2 environment: - DEPLOY_HOSTNAME: - from_secret: deploy_hostname SPT_ITEMS_HOSTNAME: from_secret: spt_items_hostname - DEPLOYMENT_USER: + DEPLOY_HOSTNAME: + from_secret: deploy_hostname + DEPLOY_USER: from_secret: deploy_username + DEPLOY_USER_GROUP: + from_secret: deploy_user_group + SPT_ITEMS_PATH: + from_secret: deploy_path when: branch: - master 
@@ -153,14 +156,15 @@ This step is [idempotent](https://en.wikipedia.org/wiki/Idempotence). \ The following environment variables are injected using Drone secrets: * `SPT_ITEMS_HOSTNAME` is used by the PHP env file. * `DEPLOY_HOSTNAME` is used to connect to the remote server via SSH. - * `DEPLOYMENT_USER` is used to connect to the remote server via SSH. - * all environment variables at the pipeline level (see [Environment variables](#environment-variables)) + * `DEPLOY_USER` is used to connect to the remote server via SSH. + * `DEPLOY_USER_GROUP` is the user group, used to give read/write/execute permissions to the whole group. It must be the same as Nginx's user. + * `SPT_ITEMS_PATH` is the path on the remote server where the files will be copyed to. #### Playbook definition ```yml -hosts: host +hosts: sptarkov ``` -Uses the host defined in [inventory](../.ansible/inventory). Remember, the step [Replace hosts and user variables](#replace-hosts-and-user-variables) already replaced the variables at this point. The playbook will be executed as `root` user using `sudo`. +Uses the host defined in [inventory](../.ansible/inventory). Remember, the step [Replace hosts and user variables](#replace-hosts-and-user-variables) already replaced the variables at this point. #### Delete old spt-items-api ```yml @@ -170,7 +174,7 @@ Uses the host defined in [inventory](../.ansible/inventory). Remember, the step path: "{{ lookup('env', 'SPT_ITEMS_PATH') }}" ``` Since the copy does not override the folder, this step takes care of it. \ -`SPT_ITEMS_PATH` is injected thanks to the pipeline level environment variables (see [Environment variables](#environment-variables)) +`SPT_ITEMS_PATH` is injected in the environments properties (see [Apply ansible playbook](#apply-ansible-playbook)) #### Copy the project ```yml 
@@ -189,7 +193,7 @@ Copies the whole project (frontend and backend) from the [api](../api) folder in dest: "{{ lookup('env', 'SPT_ITEMS_PATH') }}/.env" ``` Uses [Jinja2](https://jinja2docs.readthedocs.io/en/stable/) to resolve the [template for the PHP .env file](../.ansible/templates/.php_env.j2). \ -`SPT_ITEMS_PATH` is injected thanks to the pipeline level environment variables (see [Environment variables](#environment-variables)). \ +`SPT_ITEMS_PATH` is injected in the environments properties (see [Apply ansible playbook](#apply-ansible-playbook)) \ `SPT_ITEMS_HOSTNAME` is injected in the environments properties (see [Apply ansible playbook](#apply-ansible-playbook)) #### Get JavaScript chunks name @@ -200,7 +204,7 @@ Uses [Jinja2](https://jinja2docs.readthedocs.io/en/stable/) to resolve the [temp register: find_output ``` Prepare a find of all JavaScript chunk files for the [app.blade.php.j2](../.ansible/templates/app.blade.php.j2) template. \ -`SPT_ITEMS_PATH` is injected thanks to the pipeline level environment variables (see [Environment variables](#environment-variables)). +`SPT_ITEMS_PATH` is injected in the environments properties (see [Apply ansible playbook](#apply-ansible-playbook)) #### Get file names from find output ```yml @@ -218,7 +222,7 @@ Splits the string containing the list of all JavaScript chunk files for the [app dest: "{{ lookup('env', 'SPT_ITEMS_PATH') }}/resources/views/app.blade.php" ``` Uses [Jinja2](https://jinja2docs.readthedocs.io/en/stable/) to resolve the [template for the PHP app.blade.php file](../.ansible/templates/app.blade.php.j2). \ -`SPT_ITEMS_PATH` is injected thanks to the pipeline level environment variables (see [Environment variables](#environment-variables)). +`SPT_ITEMS_PATH` is injected in the environments properties (see [Apply ansible playbook](#apply-ansible-playbook)). #### Download and install composer dependencies ```yml 
@@ -233,17 +237,16 @@ Uses [Jinja2](https://jinja2docs.readthedocs.io/en/stable/) to resolve the [temp - name: Reset files permissions file: path: "{{ lookup('env', 'SPT_ITEMS_PATH') }}" - owner: "{{ lookup('env', 'DEPLOYMENT_USER') }}" - group: www-data + owner: "{{ lookup('env', 'DEPLOY_USER') }}" + group: "{{ lookup('env', 'DEPLOY_USER_GROUP') }}" mode: 0774 recurse: yes ``` Permissions 0644: * user: read/write/execute - * group: read + * group: read/write/execute (for Nginx to execute the php as well as write in the Laravel logs) * other: read -`www-data` is hardcoded here but it should be the standard user for Apache and Nginx. \ -`SPT_ITEMS_PATH` is injected thanks to the pipeline level environment variables (see [Environment variables](#environment-variables)). +`SPT_ITEMS_PATH` is injected in the environments properties (see [Apply ansible playbook](#apply-ansible-playbook)). #### Initialize database ```yml